October 2012  www.csoonline.com  $9.00  BUSINESS RISK LEADERSHIP


TECH:  Federated  Identity 
Still  Faces  Hurdles  6 

RISK: 3 Sample Tabletop Exercises 16

LEAD:  Security  Awareness  Training: 
Wonderful  or  Wasteful?  20 


Because  no  two  businesses  are  the  same. 

Introducing  the  flexible  new  range  of  IBM  System  x  servers. 

No  two  companies  have  the  same  IT  requirements.  That’s  why  IBM®  has  a  new  range  of  System  x® 
servers,  built  to  handle  workloads  ranging  from  simple  tasks  to  complex  cloud-based  and  business 
applications.  Featuring  the  latest  Intel®  Xeon®  E5-2600  and  E5-2400  series  processors,  these 
servers  can  be  customized  so  that  you  can  select  features  you  need  today  and  add  more  as  your 
business  needs  change.  Additionally,  IBM  Business  Partners  can  help  you  find  the  server  that 


IBM  System  Storage®  DS3500  Express 


See  for  Yourself 

The  new  IBM  System  x  Selection  Tool  can  help 
you  choose  the  right  server  and  save  money. 
Visit:  ibm.com/systems/flexibility 


$5,499 

OR $135/MONTH FOR 36 MONTHS'

PN:  1746A2S 

6 Gbps SAS system delivers midrange performance and scalability at entry-level prices
Up to 192 drives: high performance and nearline SAS, SSD and SEP SAS drives
Four interface options: 6 Gbps SAS, 1 Gbps & 10 Gbps iSCSI/SAS and 8 Gbps FC/SAS


Contact  the  IBM  Concierge 
to  help  you  connect  to  the 
right  IBM  Business  Partner. 

1-866-872-3902 

(mention  102JE09A) 


'IBM  Global  Financing  offerings  are  provided  through  IBM  Credit  LLC  in  the  United  States  and  other  IBM  subsidiaries  and  divisions  worldwide  to  qualified  commercial  and  government  customers. 
Monthly  payments  provided  are  for  planning  purposes  only  and  may  vary  based  on  your  credit  and  other  factors.  Lease  offer  provided  is  based  on  an  FMV  lease  of  36  monthly  payments;  please 
contact  your  IBM  Global  Financing  representative  for  actual  monthly  amounts.  Other  restrictions  may  apply.  Rates  and  offerings  are  subject  to  change,  extension  or  withdrawal  without  notice. 

IBM  hardware  products  are  manufactured  from  new  parts  or  new  and  serviceable  used  parts.  Regardless,  our  warranty  terms  apply.  For  a  copy  of  applicable  product  warranties,  visit 
http://www.ibm.com/servers/support/machine_warranties.  IBM  makes  no  representation  or  warranty  regarding  third-party  products  or  services.  IBM,  the  IBM  logo,  System  Storage  and  System  x 
are  registered  trademarks  of  International  Business  Machines  Corporation,  registered  in  many  jurisdictions  worldwide.  Other  product  and  service  names  might  be  trademarks  of  IBM  or  other 
companies.  For  a  current  list  of  IBM  trademarks,  see  www.ibm.com/legal/copytrade.shtml.  Intel,  the  Intel  logo,  Xeon  and  Xeon  Inside  are  trademarks  of  Intel  Corporation  in  the  United  States  and  other 
countries.  All  prices  and  savings  estimates  are  subject  to  change  without  notice,  may  vary  according  to  configuration,  are  based  upon  IBM's  estimated  retail  selling  prices  as  of  7/2/12  and  may  not  include 
storage,  hard  drive,  operating  system  or  other  features.  Reseller  prices  and  savings  to  end  users  may  vary.  Products  are  subject  to  availability.  This  document  was  developed  for  offerings  in  the  United 
States.  IBM  may  not  offer  the  products,  features  or  services  discussed  in  this  document  in  other  countries.  Contact  your  IBM  representative  or  IBM  Business  Partner  for  the  most  current  pricing  in 
your  geographic  area.  ©2012  IBM  Corporation. 


October  2012  Volume  11,  Number  8 


Let’s 

Rethink  This 

26  Executives 
say  security  is 
important,  but 
they  won’t  put 
their  money  where 
their  mouth  is. 

We  discuss  that 
and  other  findings 
from  this  year’s 
Global  Information 
Security  Survey. 

BY  GEORGE  V.  HULME 


■  Also  Inside 

2  Editor’s  Letter 
4  Publisher’s  Letter 
32  Last:  Happy  Hour 


tech 

6  Federated  Identity  Management 
Still  Can’t  Clear  Logistical  Hurdles 

8  Bitcoin  Exchange  Loses  $250,000  to 
Hackers  With  Stolen  Encryption  Keys 

10  Yeah,  I  Friended  Gregory  Evans.  What  of  It? 

11  Senators  Urge  Obama  to  Issue 
Executive  Order  on  Cybersecurity 

12  Hackers  Can  Steal  Bank  Info  by  SMS 
and  Lift  Passwords  From  Your  Brain 

14  Researchers  Reveal  a  Java  Vulnerability,  Which 
Prompts  a  Quick  Patch  but  Enables  Exploits 

15  What  Will  Hackers  Target 
Next?  It  Could  Be  Your  Brain 

risk 

16  Are  You  Really  Ready  for  Disaster? 

19  Video  Analysis  Keeps  Looking  for  Its  Place 

lead 


20  Point/Counterpoint:  Should  Employees 
Receive  Security  Awareness  Training? 

22  Should  You  Be  Responsible  for  BYOD  Policy? 

24  Developing  Metrics  That 
Measure  Human  Awareness 

25  Planning  for  the  Future  Workforce 


October 2012  www.csoonline.com  1


Chef  Ramsay  Will  See  You  Now 

If you've never seen chef Gordon Ramsay in his early television appearances (the original UK Kitchen Nightmares in particular) they're really spectacular.

There wasn't nearly so much screaming and posturing in the beginning as you'll find (alas) in his later, U.S.-centric work. However, there is still plenty of conflict and pointed criticism, with some swearing and insults and raised voices in the mix.

As a child of the mid-South (that's going to be my excuse) I found blatant displays of aggression very off-putting. Emphasis on good manners and appearances, that's what I absorbed growing up, regardless of whatever else people were trying to teach me. "Catch more flies with honey," that's my preferred model for discourse.

Perhaps it's a result of growing older, perhaps it's my move to New England, or working in publishing, or perhaps it's a steady diet of Gordon Ramsay and court trials (I've just finished jury duty on a Superior Court civil trial, a contract dispute) and political commentary; whatever the cause, I've come to appreciate the constructive elements of criticism and conflict.

There are simply times when pleasant discussion and positivity don't bring about change with the required speed. That's what I've learned about Ramsay: In each episode he only has a few days to get a restaurant train wreck back on track. This process invariably requires changing the behavior and mind-set of an obstinate owner or chef. If Ramsay tiptoes in, the restaurant won't change and won't be saved.

Now it's interesting to consider this point of view in the context of security leaders. I don't think security is overpopulated with delicate flowers, failing to make their points loudly. (An opinion I've formed after 10 years' observation and interaction.) There might even be a select few who should try turning the knob down, not up, when making their views known or pointing out how others need improvement.

Rather, I bring up the Gordon Ramsay style of management to ask this question:

Do people have to shout at you to get you to embrace change?

-Derek  Slater,  Editor  in  Chief, 
dslater@cxo.com 


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: {. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.




Editor  in  Chief 

Derek  Slater 
dslater@cxo.com 
508  935-4213 
Twitter:  @derekcslater 

Managing  Editor 

Bill  Brenner 
bbrenner@cxo.com 
508  988-7587 
Twitter:  @billbrenner70 

Senior  Editor 

Joan  Goodchild 
jgoodchild@cxo.com
508 988-7994
Twitter:  @msjoanieg 

Copy  Editor 

Colleen  Barry 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director 

Steve  Traynor 

Editorial  Administrator 

Pat  Josefek 

Research  Manager 

Carolyn  Johnson 

Contributors 

Taylor  Armerding,  Mary  Brandel, 
John  E.  Dunn,  Elisabeth  Horwitt 
George  V.  Hulme,  Gregg  Keizer, 
Jeremy  Kirk,  Richard  Power, 
Jaikumar  Vijayan,  Bob  Violino 

Editorial/Advertising/Business Offices

492  Old  Connecticut  Path, 

P.O.  Box  9208 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Subscriber  Services 

Phone:  866  354-1125 
Fax:  847  564-9453 
cso@omeda.com 

IDG  Enterprise 

An  IDG  Communications  Company 

International  Data  Group 
Chairman  of  the  Board 

Patrick  J.  McGovern 

IDG  Communications,  Inc. 

CEO 

Bob  Carrigan 

Chief  Content  Officer 

John  Gallant 


WORLDWIDE- 


Tim  Llewellyn 




No  other  company  can  offer  you  more  ways  to 
create,  use  and  manage  secure  identities  in  a 
trusted  environment  than  HID  Global. 

From  smart  cards  and  printers  to  smart  phones  to  managing  identities  in  the 

cloud,  we  provide  solutions  spanning  the  entire  lifecycle  of  your  secure  identities. 

Learn more about how HID can help you to create, use and manage your secure identities. Visit: HIDGlobal.com/create-use-manage-cso

© 2012 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, iCLASS SE, Secure Identity Object, SIO and Seos are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.


Celebrating  Teamwork 

I have met with many, many security leaders in the 10 years since we launched CSO. They continue to do great and amazing things to manage their organizations' risks, advance the profession and develop the next generation of security leaders.

Over those years, we have recognized many of the most deserving leaders with the CSO Compass Awards. But all of them tell us one thing about their success: They didn't do it alone. Security and risk management is a game of cooperation, partnership and teamwork. It's time to recognize those teams.

The CSO40 Awards will recognize practitioner organizations and teams that have delivered groundbreaking business value through the innovative application of risk and security concepts and technologies.

This is an opportunity for us to recognize more than just the leaders in this business, although we will continue to do that with the CSO Compass Awards. It's a chance for us to expand our recognition of the teamwork that's necessary to successfully address risk in today's enterprises.

I encourage you to look around at your peers and within the walls of your own organization to find those examples of team excellence that might be deserving of this award. You can submit nominations for the CSO40 Awards at www.csoconfab.com.

I hope that you can also join us when we recognize the winners at the CSO40 Security Confab + Awards next April in Atlanta.

-Bob Bragdon, publisher
bbragdon@cxo.com


Advertiser  Index 

Avigilon

Cisco Systems, Inc.

CSO . 

WDCorp . 


C2 


Executive  Committee 
President  &  CEO  Michael  Friedenberg 
Executive  Assistant  to  the 
President  &  CEO  Pamela  Carlson 
SVP  of  Human  Resources  Patricia 
Chisholm 

SVP  of  Events  Ellen  Daly 
SVP  &  Chief  Content 
Officer  John  Gallant 
SVP  of  Digital  Brian  Glynn 
SVP  of  Strategic  Programs  &  Custom 
Solutions  Group  Charles  Lee 
SVP, Group Publisher & CMO Bob Melk
SVP & General Manager, Online
Operations Gregg Pinsky
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
SVP & General Manager, CIO
Executive Council Pam Stenson
SVP of Digital & Publisher Sean Weglage

Sales 

Publisher  Bob  Bragdon 
Senior National Sales
Manager Per Melker
East Coast Regional Director,
Integrated Sales Roz Burke
Account Director, Integrated
Sales West Mary Hazelton
Sales  Associate  Sarah  Nadeau 

Integrated  Media  and  Online  Sales 
East  Coast  Online  Regional  Sales 
Manager  Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager  Erika  Karr 
Central  Online  Regional  Sales 
Manager  Stacy  Bryne 
Director  of  Ad  Operations  & 
Project  Management  Bill  Rigby 
Director,  Online  Account 
Services  Danielle  Tetreault 

Production 

VP  Production  Services  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

Marketing 

Vice President, Marketing Sue Yanovitch
Marketing  &  PR  Manager  Lynn  Holmlund 

List  Services 

Contact Steve Tozeski of IDG List Services
at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions

For information about reprints and
copyright permissions, please contact
The YGS Group, 800-290-5460, ext. 100,
cso@theygsgroup.com




Webb  Chappell 


avigilon.com 


Introducing  the  easy-to-use  Avigilon  Control  Center  5.0 

ACC  5.0  is  our  most  innovative  and  advanced  surveillance  software  yet. 
Its  easy-to-use  interface  allows  you  to  quickly  search  through  high-definition 
footage,  while  new  features  offer  crash-proof  enterprise  server  management, 
an  intelligent  virtual  matrix  to  easily  view  and  control  footage  on  your  remote 
workstation  or  video  wall,  and  the  ability  to  share  and  manipulate  video  with 
others in real time. Learn more at avigilon.com/ACC5


Avigilon

THE  BEST  EVIDENCE- 


TOOLS  SYSTEMS 


NETWORKS 


DATA 


PRIVACY 




Federated  Identity  Management 
Still  Can’t  Clear  Logistical  Hurdles 

Years after it was hailed as the next big thing, federated identity management hasn't been widely
adopted because partners don't benefit equally and liability remains a concern. By Bill Brenner


IN  2005,  ADVOCATES  OF  FEDERATED 
identity  management  were  almost  giddy 
when  the  Organization  for  the  Advancement 
of  Structured  Information  Standards  (OASIS) 
adopted  version  2.0  of  the  Security  Assertion 
Markup  Language  (SAML). 

Federated ID lets business partners automatically access each other's networks without requiring piles of passwords. Advocates said SAML 2.0 would make it easier for companies to form federations because it eased compatibility problems that kept many organizations from deploying the technology.

The Liberty Alliance, a global consortium of vendors and end users working to develop open federated identity standards for Web services, began testing tools that incorporate SAML 2.0 soon after the standard's adoption, and vendors lined up for the chance to get the alliance's seal of approval. Around that time, Mike Rothman, then president and principal




Thinkstock 


EXECUTIVE VIEWPOINT

ADVERTORIAL


Dwayne Melançon

CHIEF TECHNOLOGY OFFICER,
TRIPWIRE

Dwayne Melançon is Tripwire's Chief Technology Officer, where he owns a critical role in driving and evangelizing the company's global overall product strategy. He brings over 25 years of security software experience, and is responsible for leading the company's long term product strategy to meet the evolving data security needs of global enterprises. Melançon is certified in both IT management and audit processes, holding both ITIL and CISA certifications, and is a frequent speaker at national and regional industry events.


FOR  MORE  INFORMATION 

Visit  www.tripwire.com 


Custom  Solutions  Group 


Security  and  Risk: 

Getting  IT  and  business  to  see  eye-to-eye 


When it comes to threats and vulnerabilities, IT security professionals and their nontechnical counterparts usually don't speak the same language. The key to better communication may be learning to talk about risk in ways the C-suite can understand, says Tripwire CTO Dwayne Melançon.

Why is there a disconnect between business people and technology people with regard to understanding security vulnerabilities and risk?

More and more frequently, technology and security professionals have to appeal to nontechnology executives for their budgets. Technical people are comfortable talking about the nuts and bolts of the technology they use and the processes they follow. But a discussion of those topics doesn't connect well with nontechnical executives. When we talk about risk, there is more common ground, as nontechnical executives tend to be pretty comfortable making business decisions with limited data. However, they don't always recognize the relationships between technologies and processes and the impact those relationships have on the business.

What problems arise from this inability to communicate?

Security professionals can get frustrated or feel marginalized because they make recommendations that don't get accepted when nontechnical executives don't recognize the value of their suggestions. A by-product of this is they are either given insufficient security resources, or the allocation of those resources is misaligned with where the real issues are.

So they have to make potentially harmful trade-offs, which can result in weaker security that can threaten the business's success. Also, because nontechnical people don't necessarily recognize or appreciate how information security intertwines with the rest of the business, security often doesn't have a seat at the table when it comes to setting strategic business priorities or determining where to invest resources.

How can this gap be bridged?

A key factor is finding a mechanism to get everybody on the same page. Things like integrated risk assessments can help. These assessments look not only at security risks, but also at other parts of the business: What are our legal risks, what are our financial risks, and what are the execution and operational risks beyond IT? Then risk assessments peg the relationships among these processes: What role does IT security serve in key strategic objectives? How does IT impact our ability to drive revenue or retain customers or protect our reputation in the market? When you can clearly show how IT services support and protect the strategic objectives of the business, you can begin to have a conversation that's based on facts, data, and observable risks, not just gut feel. That also enables you to map spending and resource allocations more appropriately across the business.

How can Tripwire help?

The industry knows Tripwire for best-of-breed file integrity management, but we are much more than that. Tripwire offers security solutions to reduce risk, ensure systems and data security and automate regulatory compliance. We provide continuous visibility into the security of an organization's IT infrastructure. Our products show the value of information security by mapping individual applications and systems to the business purpose they serve; the processes they support; their relative value to the organization; and what the impact would be if they were compromised. We help organizations improve security through objective measurement of the strengths of their security controls so they can quickly determine which systems and components they can trust, how much they can trust them, and get definitive answers about how to address security weaknesses. Tripwire's dashboards give a business person a red-yellow-green status report of how they're addressing risks without going down to a nuts-and-bolts level. IT managers can drill down to measure risks and prioritize the actions needed to mitigate risk, then use the same data to provide clear guidance for their IT line staff. ■


Tech 


analyst at Security Incite and now analyst and president at Securosis, wrote a column about the market potential for federated ID, saying that while the technology wasn't new, the more mature SAML 2.0 standard and the advent of both standalone and integrated federation capabilities within identity-management products made it more feasible for companies to "dip their toes into the federation waters."

Fast forward to 2012. More companies have indeed dipped a toe into those waters. But has the technology finally made it to prime time?

Not really, according to two academic scholars specializing in the economics of information security technology. Many organizations still balk at the liability concerns and lack of economic balance.

"Such systems have so far failed to achieve traction when the systems are weighted so that the benefits largely accrue to only one side."

-FROM "ECONOMIC TUSSLES IN FEDERATED IDENTITY MANAGEMENT"

In a paper called "Economic Tussles in Federated Identity Management," authors Susan Landau, a visiting computer science scholar at Harvard University, and Tyler Moore, a visiting assistant professor at Wellesley College, wrote that while some federated ID management systems have experienced modest success, including Shibboleth in the higher education sector, SAML in the enterprise sector, and the National Institutes of Health's program, the technology still hasn't caught on in the broader market. (The full paper is available online at http://privacyink.org/pdf/weisiiidentity.pdf)

"In particular, federated identity management has functioned well in sectors in which the parties had first established contracts, but on the 'open' Internet, where the Identity Providers and Service Providers might not previously have had a relationship, federated identity management has experienced slow adoption," they wrote.

"It is widely believed that the inability to solve the liability issue (who would bear the costs when federated systems inappropriately shared information or incorrectly authenticated a user) is at the root of the problem."

The authors go on to say that the design of federated identity management systems creates a classic case of an economic tussle.

When the systems have been successful, it has been because both sides enjoyed benefits. In the broader market, that objective is hard to meet.

"Such systems have so far failed to achieve traction when the systems are weighted so that the benefits largely accrue to only one side," they wrote. "Rather than liability alone, the problem is actually one of maladjustment to the economic tussle. Consequently, if one can readjust the values in those systems so as to provide clear, and relatively balanced, benefits to all parties, then the federated system is much more likely to succeed."

Landau expanded on the challenges, and opportunities, in a recent interview with CSO:

CSO: When we asked security practitioners about their use (or lack of use) between 2005 and 2008, we would always hear reservations about compatibility and trust with outside networks and so on. Are those still major concerns in 2012?

Landau: Absolutely.

CSO: In which sectors do you find federated ID to be the best fit?

Landau: Regulated environments currently seem the best fit. Thus, for example, the pharmaceutical and financial sectors would be good fits (as might medicine more generally). The [Department of Defense] environment is, of course, another fit. Control of critical infrastructure would be another place with a good fit, but that is a very small market sector.


Bitcoin  Exchange 
Loses  $250,000  to 
Hackers  With  Stolen 
Encryption  Keys 

HACKERS STOLE ABOUT $250,000 from Bitfloor, a Bitcoin exchange, last month, and it does not have the money to reimburse account holders, according to the website's founder.

Bitcoins are an electronic currency generated as computers solve a changing mathematical problem.

A Bitcoin is essentially just a secret number, which is protected from unauthorized transfers by public key cryptography. Bitfloor allowed account holders to buy and sell Bitcoins, exchange the currency for U.S. dollars and transfer the money using the Automated Clearing House system.

The cryptography wrapped around Bitcoins is designed to make it nearly impossible to derive the private keys needed to gain possession of the secret number. But in the case of Bitfloor, hackers found the keys.

Roman Shtylman, Bitfloor's founder, wrote on a forum that the hackers obtained an unencrypted backup of the keys, which were then used to transfer coins held by Bitfloor. The backup "was made when I manually did an upgrade and was put in the unencrypted area on disk," he wrote. -Jeremy Kirk
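The failure mode in Shtylman's account, a private-key backup written unencrypted to disk, is one a defender can check for as part of routine backup hygiene. What follows is an added example, not code from the article, from Bitfloor or from any project the article mentions: a small Python scanner that walks a backup tree and flags files containing Bitcoin private keys in Wallet Import Format (recognised by their Base58Check checksum and the 0x80 version byte, so look-alike strings are not reported) or PEM private-key blocks. The directory layout, file names and the 32-byte secret it encodes are all constructed for the demonstration.

```python
"""Scan a backup directory for plaintext private-key material.

Added example (not code from the article or from Bitfloor): a defender's
check that flags Bitcoin private keys in Wallet Import Format (WIF) and
PEM private-key blocks lying unencrypted in a backup tree. Every sample
file and secret below is constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of double-SHA256(payload)."""
    data = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58[rem])
    leading = len(data) - len(data.lstrip(b"\x00"))  # each 0x00 byte -> '1'
    return "1" * leading + "".join(reversed(digits))


def b58check_decode(token: str):
    """Return the payload if the checksum verifies, else None."""
    n = 0
    for ch in token:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    leading = len(token) - len(token.lstrip("1"))
    raw = b"\x00" * leading + (n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b"")
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    return payload if _double_sha256(payload)[:4] == checksum else None


def make_wif(secret: bytes, compressed: bool) -> str:
    """Encode a 32-byte secret as mainnet WIF (version 0x80, optional 0x01 flag)."""
    return b58check_encode(b"\x80" + secret + (b"\x01" if compressed else b""))


def is_wif_private_key(token: str) -> bool:
    payload = b58check_decode(token)
    if payload is None or payload[0] != 0x80:
        return False
    return len(payload) == 33 or (len(payload) == 34 and payload[-1] == 0x01)


# Candidate shapes: uncompressed WIF starts with '5' (51 chars), compressed
# with 'K' or 'L' (52 chars). PEM headers cover other key types.
WIF_CANDIDATE = re.compile(r"(?<![1-9A-Za-z])[5KL][1-9A-HJ-NP-Za-km-z]{50,51}(?![1-9A-Za-z])")
PEM_PRIVATE = re.compile(r"-----BEGIN (?:EC |RSA |ENCRYPTED )?PRIVATE KEY-----")


def scan_text(text: str) -> list:
    """Return a list of finding labels for one file's contents."""
    findings = []
    m = PEM_PRIVATE.search(text)
    if m:
        # an ENCRYPTED PEM block is noted separately: it is not plaintext key material
        findings.append("pem-encrypted-key" if "ENCRYPTED" in m.group(0) else "pem-private-key")
    for m in WIF_CANDIDATE.finditer(text):
        if is_wif_private_key(m.group(0)):  # the checksum rules out look-alike strings
            findings.append("wif-private-key")
    return findings


def scan_backup_dir(root: str) -> dict:
    """Map each offending file (relative path) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                found = scan_text(fh.read())
            if found:
                report[os.path.relpath(full, root)] = found
    return report


def demo() -> dict:
    """Build a constructed backup tree and return what the scanner flags."""
    secret = bytes(range(1, 33))  # constructed 32-byte secret, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "wallet"))
        with open(os.path.join(tmp, "wallet", "keys.txt"), "w") as fh:
            fh.write("hot wallet export\n" + make_wif(secret, False) + "\n" + make_wif(secret, True) + "\n")
        with open(os.path.join(tmp, "server.key"), "w") as fh:
            fh.write("-----BEGIN EC PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-BODY\n-----END EC PRIVATE KEY-----\n")
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("5" + "J" * 50 + " looks like a key but fails the checksum\n")
        return scan_backup_dir(tmp)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(f"{path}: {', '.join(found)}")
```

Run as a script it prints the constructed report (the wallet export and the PEM file are flagged, the decoy in notes.txt is not). In practice the scanner would be pointed at the backup staging area before an archive is written or shipped, which is exactly the point at which the Bitfloor backup went to disk in the clear.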




SECURITY SMART™ NEWSLETTER


Security Smart is a quarterly security awareness newsletter ready for distribution to your employees, saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees, your organization's most valuable assets, will read and retain the information.



Subscribe  today! 




To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 




For  more  information  please  visit 

www.SecuritySmart.com


Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.


cso 


BUSINESS  RISK  LEADERSHIP 


Tech 


Bill  Brenner,  managing  editor 
CSOonline's  Salted  Hash  blog  and  newsletter  covers 
the  news  as  it  happens:  blogs.csoonline.com/blog/cso 


Yeah, I Friended Gregory Evans. What of It?


SOME  OF  MY  SECURITY  FRIENDS 
couldn’t  resist  pointing  out  that  I’m  connect¬ 
ed  to  Gregory  Evans  on  Facebook.  The  thing  is, 
there  are  good  reasons  for  me  to  follow  him. 
Not  that  I  think  it’s  really  him. 

Facebook  sent  a  couple  security  friends  an 
interesting  friend  suggestion  the  other  day: 
Gregory  Evans,  self-described  “number-one 
hacker,”  seen  by  many  as  the  ultimate  fake. 
The  message  also  said  that  my  comrades  had 
four  friends  in  common  with  Evans,  so  they 
checked  and  saw  that  I  was  one  of  the  four. 

So  you’ve  discovered  the  skeleton  in  my 
closet.  I  may  as  well  talk  about  it  then:  I  feel 
the  same  about  Evans  as  most  of  you  do. 

There  are  the  reams  and  reams  of  court 
documents  outlining  his  misadventures,  in¬ 
cluding  charges  of  fraud  and  plagiarism.  I’ve 
seen  no  evidence  that  Evans  would  have 
something  useful  to  bring  to  the  table  if  I  were 
to  interview  him. 

Instead  of  a  discussion  about  the  things 
security  practitioners  can  do  to  blunt  the  lat¬ 
est  attacks,  it  would  just  be  a  discussion  of 
all  the  stuff  he’s  accused  of.  I  wouldn’t  have  a 
choice:  the  accusations  and  court  rulings  are 
too  well-documented  to  avoid.  The  rest  of  the 
interview  would  just  be  him  telling  me  why  it’s 
all  wrong.  It  would  be  an  entertaining  discus¬ 
sion,  to  be  sure.  But  I’m  not  in  the  entertain¬ 
ment  business. 

“Evans,  who  plagiarizes 
content  rather  than 
write  it  himself,  is 
over  US$11  million  in 
debt  due  to  his  own 
history  of  crime  and 
his  inability  to  run  a 
company.”  -Attrition.org 


I think Attrition.org accurately captured the problem with Evans in this devastating critique:

“A supposed ‘hi-tech hustler,’ ‘WORLD’S NO 1 HACKER’ and convicted felon (Bureau of Prisons #13432-112), Gregory Dante Evans has invented himself as some form of hacker with the ability to break into anything and spin that supposed knowledge into advising companies on security. In reality, Evans and his company have little real knowledge beyond pedestrian hacking techniques found in plagiarized books and beginner hacking texts. His company, LIGATT Security International, offers a ‘suite’ of products that are bloated versions of common tools such as ping and nmap. Evans, who plagiarizes content rather than write it himself, is over US$11 million in debt due to his own history of crime and his inability to run a company. Every press release, every video cast, every public communication is full of discrepancies, half-truths and outright lies.”

So why am I connected with him on Facebook? Two reasons:

1) I’m highly skeptical that it’s really Evans’s profile. The comments on his page smack of parody, and that alone makes it worth following. What’s not to love about these comments during the week of Black Hat, BSidesLV and Defcon:

Gregory Evans: “Taco bell! Defcon/Blackhat/Bsides was rad!”

Mike Diaz: “Chillin at Rain with Gregory Evans waiting on Jay-Z, Cee Lo and Purrfect. Gregory is throwing hundreds at [expletive] and stirring his cosmo with a diamond straw. Ballin!”

Gregory Evans: “Tha club cant even handle me right now”

2) If it is Evans, my journalistic side wants to keep watch on his Facebook activities.

That said, I have yet to see anything news- or blog-worthy.

I figure being friends with him on Facebook is a win-win: I get to be entertained, and if I get unfollowed, I get to be cool because I was unfriended by Gregory Evans.




10  www.csoonline.com  October  2012 




Senators Urge Obama to Issue Executive Order on Cybersecurity


PRESIDENT OBAMA IS BEING URGED by some members of Congress to bypass the legislative body after its failure to pass cybersecurity legislation over the summer.

Sen. Dianne Feinstein (D-Calif.), the chairwoman of the Senate Select Committee on Intelligence, published an open letter last month calling on Obama to issue an executive order demanding government agencies and critical infrastructure owners implement better controls to protect their computer networks.

There is plenty of precedent for such action. Obama has used executive orders to bypass Congress more than 130 times. Among the most notable was his creation of a version of the Dream Act, an immigration-reform law. He also used an executive order to declare that the federal government would no longer enforce the Defense of Marriage Act. His mantra at these times: “We can’t wait.”

Feinstein and others, including Sen. Jay Rockefeller (D-W. Va.), who made a similar request in a letter to the White House in August, argue we cannot wait on cybersecurity.

The White House said after Congress failed to pass the Cybersecurity Act of 2012 that the president was considering implementing some of the goals of that bill by executive order.

The president does not have the authority to include all the Cybersecurity Act’s measures in an executive order, as Rockefeller acknowledges. For example, an executive order could not set up the system of incentives proposed in the bill that would offer federal assistance to organizations that met security standards and were facing a cyberthreat.

But Rockefeller wrote that “many components of the Cybersecurity Act are amenable to implementation via executive order, normal regulatory processes, or other executive action under the authorities of the Homeland Security Act.”

Joel Harding, a retired military intelligence officer and information operations expert, says it is likely that an executive order would make everyone involved unhappy for different reasons, “but at least it provides some serious updates to the 2003 Presidential Directive on Cybersecurity.”

“There will be enough meat to set some standards but not enough to make a meaningful leap in cybersecurity,” Harding says.

-Taylor  Armerding 


WISDOM WATCH

Vendor Goofus and Gallant

Apple. In the worst cases, a vendor will sit on a flaw long after it’s reported. But Apple topped that with its response to a serious SMS vulnerability in iPhones. Instead of resolving it, Apple suggested customers just use its instant messaging service, called iMessage, which only works on iOS, the operating system for Apple mobile devices. Sidestepping the main problem and refusing to offer a permanent fix is irresponsible and insulting.

Dropbox. The file-sharing tool got a black eye when user names and passwords were stolen from another website and used to access accounts. But unlike Apple, Dropbox responded clearly and decisively, announcing it would offer two-factor authentication, which makes it much harder for bad guys to capture a user’s credentials.

Siemens’ RuggedCom. Siemens deserves credit for quickly acknowledging a vulnerability in RuggedCom’s Rugged Operating System that could enable traffic spying. The technology is used in critical infrastructure, so the Department of Homeland Security took notice, and Siemens said it was working on a fix. But Siemens has to do more to ensure these flaws don’t materialize in the first place.

Vendor briefings. I always get good stories from IT admins, CSOs and the like. They tell me which issues are causing them the most pain, and I go from there. But in vendor briefings, the content is often old and uninteresting. It’s time to toss out the old slideshows and start over. -B.B.


Tech

4 FLAWS

Hackers Can Steal Bank Info by SMS and Lift Passwords From Your Brain


LOTS OF HIGH-PROFILE BUGS TO review this month. Let’s start with Apple.

1. iPhone. Hackers are having a lot of fun at Apple’s expense lately. Take the SMS flaw in the iPhone, for example. A hacker who calls himself “pod2g” reported that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source. Because the flaw does not involve code execution, an attacker does not need to get malware past Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices. Apple took a lot of heat for this one, mainly because its solution was to have customers use its instant messaging service, iMessage, which only works on iOS, the operating system for Apple mobile devices.

2. Java. Attackers were all over Java with their exploit tools before Oracle had a chance to patch critical flaws in Java 7, the latest version of the software. “Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 in the wild, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible,” the company said when the fix was issued in early September.

3. Dropbox. The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise after being hit by a spam attack that started with the breach of an employee’s account. Dropbox confirmed that a stolen employee password led to the theft of a “project document” that contained user email addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling websites. Dropbox has since implemented two-factor authentication to bolster security.

4. Your brain (seriously). Using off-the-shelf gaming technology that tracks brain activity, a team of scientists has shown that it’s possible to steal passwords and other personal information from someone’s mind. Researchers from the University of Oxford, University of Geneva and the University of California at Berkeley demonstrated the possibility of brain hacking using software built to work with Emotiv’s $299 EPOC neuro-headset. Developers build software today that responds to signals emitted over Bluetooth from EPOC and other brain-computer interfaces, such as MindWave from NeuroSky. Of course, if software developers can build apps for such devices, so can criminals.

-Antone  Gonsalves 


CSO Staff

CSO’s e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to You. Delivered right to your desktop.

CSO Update: A look at the latest security news and analysis on CSOonline.com, delivered twice a week.

CSO Salted Hash: IT security news and analysis, over easy, delivered daily.

CSO News Watch: A recap of the week’s top news stories.

CSO Career: A twice-monthly newsletter of career and leadership-oriented news, articles and events plus job postings.

CSO Tech Watch: Twice-monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

CSO Security Leader: Monthly leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

CSO Continuity & Recovery: A twice-monthly review of published material concerning business continuity and disaster recovery.

Security Research & Metrics: A monthly roundup of useful security research, benchmarks and statistics.

Sign up now for CSO’s complimentary e-mail newsletters: www.CSOonline.com/newsletters

Researchers Reveal a Java Vulnerability, Which Prompts a Quick Patch but Enables Exploits


ORACLE RELEASED AN EMERGENCY PATCH IN LATE August to fix previously unknown Java vulnerabilities that cybercriminals had targeted with popular exploit kits within hours of the bugs’ existence becoming public.

The patch for the critical flaws, which affected only Java 7, the latest version of the software platform, also included fixes for two other vulnerabilities in Java 6. But the Java 7 flaws were the most critical.

“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 in the wild, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible,” the company said in a statement.

The vulnerabilities affected all major Web browsers running Java 7, including Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. A cybercriminal could exploit the bugs by tricking a victim into clicking a malicious link on a hijacked website or a site run by the attacker.

Some security vendors knew about the vulnerabilities for weeks, but chose not to make them public because there had been few attacks. Until the vulnerabilities became widely known, the attacks Sophos saw were targeted at specific industries and affected only hundreds of people, says Chester Wisniewski, senior security adviser for the vendor.

Once the flaws became public, the number of potential victims grew to hundreds of millions, considering Secunia’s estimate that a billion computers run Java 7. And after researchers announced the existence of the vulnerabilities, cybercriminals very quickly began exploiting the flaws, which has raised questions about whether the disclosure put more users at risk than necessary.

The public disclosure of the flaws started when FireEye reported in a blog post that cybercriminals were exploiting an unpatched Java vulnerability. While the vendor did not provide complete details for the flaw, there was enough information for Joshua Drake, a security researcher from Accuvant, to build a proof-of-concept of an exploit with the help of Rapid7.

Six hours after that proof-of-concept was posted on the Web, cybercriminals had updated exploit kits, including the popular Blackhole, to infect vulnerable computers with malware.

Tod Beardsley, a bug-testing engineering manager for Rapid7, says the company was justified in going public with the flaws because cybercriminals were already exploiting them.

“I certainly don’t think that we would have seen a patch from Oracle on Thursday if we had kept it under wraps,” Beardsley said. “It was already exploited out there, so I don’t think we ran afoul of any disclosure stuff.”

In general, security researchers do not reveal unexploited vulnerabilities until after notifying the software vendor and giving it time to fix them. Wisniewski was not comfortable with Rapid7’s handling of the disclosure, saying, “I’m really torn.” Because the hacker-devised exploits are so widespread now, many more people will be vulnerable. Rapid7’s own estimates are that roughly a third of Java users fail to remain up-to-date on patches.

“The people who published all the information drew a road map on how to exploit people,” Wisniewski says. “That negative outweighs any benefit of us getting a patch out of Oracle a couple of months early.”

Oracle is partly to blame for the disclosure because it refuses to work closely with researchers and won’t discuss when or if it will release patches, Wisniewski said. “Oracle does not have the best track record of releasing updates in a timely manner, and that makes security researchers more apt to publish these things.” Oracle, which did not respond to a request for comment, had known about the Java 7 flaws since April, according to Adam Gowdiak, the founder and chief executive of Polish security firm Security Explorations. Gowdiak says he notified Oracle of 19 Java 7 issues, including the two critical flaws.

Attackers are increasingly targeting Java vulnerabilities because the cross-platform runtime environment frequently shows up on Linux, Windows and Mac computers. Experts say the risk to users could grow if Oracle doesn’t do more to secure the product.

-Antone  Gonsalves 




What Will Hackers Target Next? It Could Be Your Brain


USING OFF-THE-SHELF GAMING TECHNOLOGY that tracks brain activity, a team of scientists has shown that it’s possible to steal passwords and other personal information.

Researchers from the University of Oxford, University of Geneva and the University of California at Berkeley demonstrated brain hacking using software that can work with Emotiv’s $299 EPOC neuro-headset.

Developers build software today that responds to signals emitted over Bluetooth from EPOC and other brain-computer interfaces (BCI), such as MindWave from NeuroSky. Of course, if software developers can build apps for these devices, so can criminals.

“The security risks involved in using consumer-grade BCI devices have never been studied, and the impact of malicious software with access to the device is unexplored,” the researchers said in a paper presented in July at the USENIX computer conference.

The researchers found that the software they built to read signals from EPOC significantly improved the chances of guessing participants’ PINs, the general area in which they lived, who they knew, their month of birth and the name of their bank. The Emotiv device, used in gaming and as a hands-free keyboard, uses sensors to record electrical activity along the scalp. Voltage in the brain spikes when people see something they recognize, so tracking the fluctuation makes it possible to gather information about people by showing them collections of images.

The researchers conducted their experiments on 28 computer science students. In the PIN experiment, the subjects chose a four-digit number and then watched as the numbers zero to nine were flashed on a computer screen 10 times for each digit in the PIN. While subjects watched the images, the researchers tracked brain activity through signals from the EPOC neuro-headset to see when participants recognized numbers in their PINs.

The same form of repetitive showing of images was used in the other experiments; for example, researchers showed participants a series of bank cards to determine which bank they used, and flashed images of people to find the one the subjects knew. The researchers’ chance of guessing the information correctly increased to between 20 percent and 30 percent, up from 10 percent without the brain tracking. The exception was in figuring out people’s month of birth; for that, the rate of guessing correctly was as much as 60 percent.

Nevertheless, the overall reliability was not high enough for an attack targeted at a few individuals. “The attack works, but not in a reliable way,” says Mario Frank, a UC Berkeley researcher involved with the study. “With the equipment that we used, it’s not possible to be sure that you found the true answer.”

A criminal would have to build a program that could be distributed to as many people as possible, the same tactic that’s employed in distributing malware via email. Attackers know that only a small fraction of recipients will open the attachments, but that small fraction is enough to create botnets of hundreds of thousands of computers. With BCI devices, the user base today is too small to launch large-scale attacks. Also, users buy software directly from manufacturers, so it would be difficult for criminals to distribute malware.

However, a security risk could arise in the future if brain-tracking devices become a standard way to interact with computers and retailers set up online stores to sell hundreds of thousands of applications, much the way Android smartphone apps are sold today.

-Antone Gonsalves




Are You Really Ready for Disaster?

Three exercises for testing your business continuity plans, by David Geer


SCENARIO ONE

Chemical Explosion

Segment One: Rail cars carrying a highly flammable chemical compound explode near the data center, taking out a section of track and a stretch of two-lane road at an adjacent crossing, spewing toxins into the air. Data center employees hear the blast and begin frantically contacting family, colleagues and emergency services. Emergency services deploy and call for a general evacuation, including the data center and its attached offices.

Segment Two: Due to the toxins, the fire department insists that the data center evacuate immediately. Data center technicians can’t fire up the diesel engines because they may spark, igniting the toxins, so the data center must go completely dark.

Fearful employees, including some of the people needed to switch the data center over to the disaster recovery (DR) site, leave to pick up children and elderly family members.

All this leaves the data center without the time or expertise to declare a disaster, cut over to the remote DR site, and power down and close the facility properly. The data center loses untold quantities of data in the process.

Segment Three: Management attempts to notify team leaders to interact with each other to escalate communications and response as everyone is leaving. But in the panic, and with smartphones tied up contacting loved ones, the chain of communications breaks down.

The fire department informs management that their designated meeting place is inside the danger zone and they must pick a new meeting place and inform all employees to go directly there. Management does not have a second location in place further out and chooses a parking lot near a busy highway intersection, during rush hour and the evacuation of the larger area.

Segment Four: Not everyone receives updates about the new meeting place, so while some go to a safe meeting spot, others go to the original meeting area, and still others don’t show up at all. The wind picks up, moving the toxic air toward the first meeting area. Reporters, who are asking lots of questions, meet the people who make it to the furthest meeting place. These employees are not the marketing-savvy media relations executives, so they are not able to give appropriate status updates and instead say things to the media that are inappropriate, inaccurate and misleading, causing further confusion and panic.

-With suggestions from Bob DiLossi, director of crisis management at Sungard Availability Services

SCENARIO TWO

Primary Supplier Cannot Deliver

Segment One: The enterprise receives a call from a primary vendor, a supplier of raw materials for the company. The vendor-supplier has experienced significant damage to its manufacturing plant from a hurricane, and there are no forecasts as to when the plant will be back up and running. At this time, the vendor can only speculate that it will be able to ship 30 percent of the usual order. This material is a critical component of the enterprise’s finished product and is usually most available from this single-source vendor, with few if any other vendor-suppliers.

Segment Two: Upon further inspection by the vendor and the regulatory agencies in the vendor’s industry, the vendor has shut down the plant with its damaged facilities and equipment until it makes all necessary repairs. The vendor will not make any product deliveries for at least two or three months. Without critical supplies, the enterprise cannot provide finished products or services to its customer base. There is a small reserve of materials on-site that will last about 35 days.

Segment Three: The enterprise will need to qualify an alternative material supplier that meets requirements laid out by client agreements and industry regulations. If the enterprise does manage to identify a supplier, it may be located overseas, creating new logistics challenges.

The enterprise starts looking closely at two potential qualifying vendors, one in China and one in a small, volatile developing country in the east.

Segment Four: When vetting the potential vendor in China, the enterprise uncovers a trail of broken contracts in which the foreign vendor supplied diluted raw materials that were deemed unsatisfactory. The enterprise turns to the one remaining producer of the raw materials.

As the enterprise is about to reach full approval for the new supplier, an internal conflict breaks out in the small eastern nation, a coup ensues and powers opposing the new leadership call for boycotts of the small country’s exports, including raw materials, putting pressure on the enterprise’s international relations.

-With suggestions from Mark Madar, director of risk management and quality assurance at CBIZ Risk and Advisory Services

SCENARIO THREE

Angry IT Guy

Segment One: A systems engineer or administrator who foresees imminent layoffs is working on internal systems. The enterprise has upgraded his access rights and turned off monitoring systems so he can complete his work. Due to fears of termination, he installs back doors everywhere. Because the enterprise elevated his administrative privileges and disabled the monitoring systems, and because he uses stealthy back doors that are set to activate after the company fires him, IT has no visibility into what he has done or what will happen in the coming months.

Segment Two: The enterprise fires the systems guy, along with many of his colleagues and friends, in a massive layoff. Once the back doors open, he siphons off stores of intellectual property and customers’ personally identifiable information. He next launches a malicious, stealthy attack that renders multiple data backups useless. The data center is unaware of this until some time later, when it tries to restore data in a crisis.

Segment Three: During the crisis, the data center discovers that the data is corrupted and so attempts to restore from backups. Finding the disk-based backup data unrecoverable, IT must rely on tape backups, losing the most recent week’s data, which was not yet archived.

In the meantime, the disgruntled ex-employee finds a buyer for the stolen data on the black market and sells it for less than its true worth.

Segment Four: The black market data buyer is part of a hacker group that holds stolen data for ransom. On a highly visible website, the hackers publish just enough of the data to prove they have it, and demand a larger sum than they paid for it to return the data without publishing or re-selling it further. While the enterprise mulls its options, regulatory bodies get wind of the data-protection fiasco. The media reports on the shocking debacle just as affected parties and customers launch a massive lawsuit. As e-discovery begins, the enterprise realizes it will not be able to produce at least a week’s worth of data.

-Based on suggestions from Brian Barnier, principal analyst at ValueBridge Advisors, and Jeremy Suratt, senior solutions marketing manager at Iron Mountain’s Data Backup and Recovery practice




Video  Analysis  Keeps  Looking  for  Its  Place 




THE  TECHNIQUE  OF  USING  ALGORITHMS  TO  ANALYZE 
footage  from  video  surveillance  cameras  in  real  time  began  coming  into 
its  own  five  years  ago.  It’s  an  intriguing  adaptation  of  standard  surveil¬ 
lance  security.  It’s  still  an  emerging  market,  as  Jon  Cropley,  principal 
analyst  at  IMS  Research,  told  CSO. 

CSO:  What  trends  do  we  see  in  video  analysis  versus  five 
years  ago,  when  the  edge-based  market  was  emerging  and  there 
was  a  push  to  embed  algorithms  into  the  processor? 

Cropley:  There  are  still  a  lot  of  installations  more  suited  to  server- 
based  solutions,  though  we  are  seeing  more  edge-based  systems. 

The  number  of  algorithms  that  can  be  embedded  has  increased,  and 
they’ve  been  refined  to  be  less  processor-intensive.  Also,  processor 
power  has  improved.  The  combination  has  meant  that  a  number  of  al¬ 
gorithms  that  couldn’t  be  embedded  before  are  now  a  possibility.  The 
embedded  market  has  grown  faster  than  the  PC-based  market. 

What  are  the  biggest  markets  for  video  analytics?  The  biggest 
application  is  still  intrusion  detection.  Systems  can  be  simple,  or  they 
can  be  like  the  one  at  a  palace  in  the  Middle  East  located  very  close  to 
a  coastline.  Video  content  analysis  is  being  applied  there  to  scan  the 
coastline  for  ships  that  shouldn’t  be  there.  You  need  to  deal  with  the 
environment,  waves  and  tidal  patterns,  seagulls. 

Are there new uses that have emerged over the last few years? An application that is talked about a lot is abandoned-object detection. Those are becoming more realistic. You’re seeing video content analysis (VCA) used at airports: when you leave the plane you’re supposed to follow a certain path and then leave the airport. You can detect if the person is going the wrong way. Using VCA in a crowd is quite interesting and there's a lot of work for making it more suitable for crowds. Prisons use it for the opposite, almost, of intrusion detection: they’re looking for people trying to break out.

The assumption is that it’s for the professional market, but increasingly the DIY consumer-based video solution is being offered. It’s mostly for intrusion detection or to see who’s at the door. That’s an interesting new departure.

In China there is a high-speed rail the government has introduced there. The train moves so fast that the stopping distance can be over five kilometers. That makes it impossible for the driver to see an obstacle and stop by himself to avoid the obstacle. So they’ve put cameras at regular intervals along the train line. Those cameras feature VCA. If they assess an object that is going to damage the train, it is automatically decelerated.

What about false alarms? If you get a lot of false alarms on that kind of system, the high-speed train can very quickly become a low-speed train. They only look for things that will damage or derail the train. I talked to a company that installed VCA at an airport and they were really struggling with false alarms due to birds. They needed to combine VCA with a sensor on the fence looking for movement. When an alarm was triggered by one, it needed to be verified by the other.

The VCA was used for verification of the alarm from the other sensor.

Is this functionality affordable? Prices are going down by around five percent a year. I think there’s a growing acceptance, but also still reluctance to buy, in part because technology is changing so fast, but also, when VCA was introduced, it was oversold a little bit in one or two cases. Because of that, it’s got this kind of reputation that the technology doesn't work as well as it should. There’s still a little bit of that in the market.

One thing VCA has struggled with is that most installations aren’t monitored live. You have a building, a warehouse, and you’re not looking out for live intrusions. In those cases, VCA doesn’t offer a benefit to the end user. -Michael Fitzgerald




LEADERSHIP STRATEGY MANAGEMENT SKILLS CAREER


Point/Counterpoint: Does Security Awareness Training Really Work?

NO

Dave Aitel argues awareness training is a waste of money

IF THERE’S ONE MYTH IN THE INFORMATION security field that just won't die, it’s that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company.

You can see the reasoning behind it, of course. RSA got hacked through a Word document with an embedded Flash vulnerability. A few days later, the entire company's SecurID franchise was at risk of being irrelevant when the attackers nabbed the private keys that ruled the system.

But do phishing attacks like the one that hit RSA prove that employee training is a must, or just the opposite?

Fundamentally, what IT professionals are saying when they ask for a training program for their users is, “It’s not our fault." But this is false: users have no control over the network, and they can’t recognize or protect against modern information security threats any more than a teller can protect a bank.

I’ll admit, it’s hard to find broad statistical evidence that supports this point of view; not surprisingly, security firms don’t typically share data on how successful or unsuccessful


“Users can’t protect a company from hackers any more than a teller can protect a bank.”

-Dave Aitel


their training is. The clients we typically consult with are large enterprises in financial services or manufacturing. All of them have sophisticated employee awareness and security training programs in place, and yet even with these programs, they still have an average click-through rate on client-side attacks of at least 5 to 10 percent.

We also frequently conduct social engineering attacks against help desks and other corporate phone banks for customers. While all the personnel in these security-sensitive roles have extensive training and are warned against social engineering attacks, the only thing that stops our testers are technical measures.

Here’s what organizations should do instead of wasting time on employee training:

Audit Your Periphery: Websites, back-end databases, servers and networks should be thoroughly audited on a regular basis for vulnerabilities, both by internal security personnel and external penetration testers.

Perimeter Defense and Monitoring: Robust perimeter defenses should be in place and regularly tested.

Isolate and Protect Critical Data: What valuable information does your business store in online databases? Classify business data.

20 www.csoonline.com October 2012

Segment the Network: Segment your networks and information so that a successful cyberattack cannot spread laterally across the entire network.

Access Creep: What level of access does each employee have to the network and to critical data? How well is this monitored? Limiting unnecessary access is a key element of an effective security posture.

Incident Response: Examine important boxes for rootkits. You’ll be amazed at what you find. And finding is the first step to actually building a defense against advanced persistent threats.

Strong Security Leadership: For a company to have a CSO or CISO isn’t enough. The chief security executive should have meaningful authority too. He or she should have kill-switch power over projects that fail to properly account for security, and real say over security’s percentage of the budget.

-Dave Aitel is CEO of Immunity, which specializes in offensive security


Ira Winkler argues that security awareness training offers a good return on investment

I WAS ONCE CALLED INTO A MULTINATIONAL oil company that was seeking advice because one employee was concerned that a coworker was acting odd. It turned out that the coworker had given information to a Chinese intelligence operative.

At a second company, an employee stopped a person from tailgating them into a facility. It turned out the tailgater was responsible for stealing more than a dozen laptops from company facilities.

At a third company, when staffers received a call asking for details about the firewall, they replied that they needed the caller's contact information so they could call back later, as their awareness training had taught them to do. It was a real attack, and they responded appropriately.


I can give dozens of examples of security-awareness success stories, but everyone reading this article can likely share countless personal stories of how employees’ behavior saved the company from being a victim of some attack.

Every security measure has and will fail. If you don’t realize that, you really suck as a security professional.

The definition of "security” is “freedom from risk.” You will never be free from risk. What “security” professionals are actually performing is risk management.

Security professionals implement security programs that cost-effectively mitigate risk, not completely prevent it. You will have losses, but must control the losses.

The issue is whether the losses prevented by awareness training are worth more than the cost of the training program. So if you reduce phishing attacks by 50 percent, you are mitigating 50 percent of your potential losses. Aitel says that a sophisticated security awareness program leads to a 5 to 10 percent click-through rate on client-side attacks. Which means the program helps prevent 90 percent or more of these attacks, and a 90 percent reduction of loss will always be a good return on security investment.

CISO stands for chief information security officer, not chief network security officer. Aitel’s recommended countermeasures, in lieu of awareness training, fail to recognize that information exists beyond a computer network. There is no technology that will prevent the human mishandling of paper information and computer media. Media can be encrypted, but the cost of trying to find lost media, even if it is eventually found, can be enormous, the search can drain resources, and the incident can result in public embarrassment. The return on investment for a security awareness program of this form can be huge if it prevents even a single incident.

But the biggest issue is that security awareness efforts are frequently required by compliance standards, such as PCI and HIPAA. Telling people not to do something just because the pontificator believes it is a bad idea is just not an option.

“Sophisticated security awareness training helps prevent 90 percent of client-side attacks.”

-Ira Winkler

In summary: No security measure is perfect, awareness mitigates nontechnical issues that technology can’t fix, CISOs and other security managers are responsible for protecting information in all forms, and in many cases awareness programs are not optional.

No security measure should be measured by the standard of perfection: the real standard is return on investment. And by that standard, awareness training is one of the most reliable security measures companies can take.

-Ira Winkler is a security consultant and author




Lead

Developing Metrics That Measure Human Awareness


IT’S BEEN SAID THAT SECURITY IS hard to measure. It’s difficult to measure results when the outcome you want is a lack of problems or incidents. And as we see in the point/counterpoint columns by Dave Aitel and Ira Winkler, the case for security awareness is complex, in part because it’s so challenging to measure its success. But the field of security metrics has evolved considerably in recent years, giving security managers more resources to make the case for investing in security programs and technologies.

Now the SANS Institute, through its Securing the Human Program, is offering a set of free tools designed to let security leaders track and measure the impact of their security awareness programs. According to Lance Spitzner, the program’s training director, the tools can be used to improve training, demonstrate return on investment, or compare an organization’s human risk to that of other organizations in an industry.

All resources are free, developed by the community, for the community, Spitzner says.

The tools include:

Metrics Matrix. A spreadsheet that identifies and documents options for measuring a security awareness program. It includes metrics for both measuring impact (change in behavior) and for tracking compliance.

Measuring Human Risk Survey. A 25-question survey wherein each question and its answers are associated with a different level of risk. Answers can be totaled to put a quantitative value on your human risk.

Phishing Assessments Planning Package. Phishing assessments are a simple way to measure the impact of an awareness program, and they can be a powerful tool for reinforcing key training concepts. This package helps you plan, build and implement a phishing-assessment program, and includes several templates.

CSO spoke with Spitzner about these tools.

CSO: What was the mission behind creating these metric-gathering tools?

Spitzner: The tools were developed in response to the needs of the security awareness community. I run a private mail list of about 200 professionals who are all involved in or lead the security awareness program for their organization. People post what they are looking for, and then we as a group develop resources that help solve that problem.

One of the solutions we developed was the Security Awareness Maturity Model that helps identify how mature your awareness program is and then how you want to build on that. As a group, we then developed the Security Awareness Roadmap that explains in detail how to reach each maturity level. There was a repeated request and need for metrics.

What are the challenges of using security awareness metrics?

Metrics are a tool used to measure the effectiveness of your security-awareness program and how it can be improved. Sometimes organizations get so caught up in their metrics that the metrics become more important than the program itself; they forget about what their ultimate goal is. The best approach is to focus only on a few very good metrics.

Unfortunately, good metrics are hard. They have to be easy to measure (preferably automated), they have to be measured consistently (in other words, even if different people measure, they get the same result) and they have to be something you can take action on. A classic example of a bad metric is the top 10 most-infected countries. What value does that metric have? What action are you supposed to take based on that?

This is one of the reasons we developed the security awareness metrics matrix; it has a list of over 15 metrics that organizations can choose from, depending on which has the most value to them.

What makes awareness metrics different from other types of security metrics?

You are attempting to measure the human element, specifically people's behaviors and awareness. Technology is bits and bytes, which can be easier to measure (number of attacks detected, number of port scans blocked by the firewall, etc.).

The other challenge is root-cause analysis. Quite often, incidents are caused by humans, but organizations do not realize it because they never do a root-cause analysis. The classic example is infected systems. If your security team did a root-cause analysis of infected systems, they would likely discover that the vast majority of infections are not a technical issue but a human issue. Unfortunately, many organizations fail to do any type of root-cause analysis, which hides the fact that a human is most often the issue, not technology.

What types of folks do you envision using the SANS tools and what kind of benefit do you hope it will provide?

Absolutely any organization can benefit from our free resources, and not just organizations but also ordinary people in their personal lives. Think about it: About 70 percent to 80 percent of any security-awareness program applies both to the organization and to employees' personal lives. Programs cover topics such as email, mobile devices, social networking and passwords. Our approach is not to just make people change their behaviors at work, but also to change those same behaviors at home, where they face those same risks. -Joan Goodchild



“A human is most often the issue, not technology.”

-LANCE SPITZNER, SANS SECURING THE HUMAN PROGRAM






■ Lead

Joan Goodchild, Senior Editor
jgoodchild@cxo.com; Twitter: @msjoanieg

LEADING EDGE

Should You Be Responsible for BYOD Policy?


THE BRING-YOUR-OWN-DEVICE (BYOD) MOVEMENT, THE TREND OF allowing employees to use their own devices to access their employer's network and get work done while mobile, continues to grow. Several estimates I’ve read put the number of organizations that allow BYOD at 60 percent.

That means nearly two-thirds of businesses now allow workers to use their personal iPhones, iPads, Android-based smartphones, tablets and other devices to access organizational data, including email, applications and sensitive information.

But this trend is rubbing up against security, and many organizations have not yet dealt with the larger questions about what BYOD means for security and corporate privacy. A study published last month finds that 71 percent of businesses that allow BYOD have no specific policies or procedures in place to support BYOD deployment and ensure security.

The survey, conducted by KnowBe4, a security-awareness training firm, and ITIC, a research and consulting firm, polled 550 companies worldwide in July and August. Only 13 percent of respondents said their firms have specific policies in place to deal with BYOD deployments, while another nine percent indicated they were in the process of developing BYOD procedures.

What should security’s role be in developing an organization’s BYOD policy? Security leaders we’ve spoken to at CSO know this trend isn’t going anywhere and are adjusting their security strategy accordingly.

For example, one of CSO’s 2012 Compass Award winners, Kristin Lovejoy, IBM’s vice president of IT risk, positioned her IT risk department to find solutions, not veto plans, for BYOD.

In his piece on Lovejoy, CSO contributor Constantine Von Hoffman wrote:

"Lovejoy, who had previously been vice president of security strategy at IBM, says that instead of waiting until BYOD was planned out, she and her team got involved at the start. In fact, her department helped create the business case for letting employees do this. By the end of the first year, the initiative was supporting 100,000 devices. This allowed employees to use social media to further IBM’s business agenda, and to adopt cloud computing on a wide scale."

Lovejoy knew that by getting her department involved at the outset, it made security part of enabling the technology and helped her group avoid getting slapped with the dreaded label of “the department of no.”

Where does your organization stand on BYOD?

Kristin Lovejoy, VP of IT risk, IBM


SOCIAL SECURITY

Okay everyone. The least popular PIN and most difficult to guess is 8068. We should all change to that.

-Tony Wilson @byTonyWilson

There are two kinds of infosec vendors in the world: Those that benefit by well-informed consumers, and those that don't.

-Jeremiah Grossman @jeremiahg

I am a bit surprised when I see infosec pros (or so they claim to be) apply for jobs publicly in LinkedIn groups. Awareness, anyone?

-Kai Roer @kairoer

When it comes to IT security, we have only two modes: complacency and panic.

-Tom Garcia @TomGarcia_IS

“Do not put your work emails on your mobile phone” sounds a bit like “do not put your work emails on your notebook (on any computer)”

-Stefan Esser @i0n1c




Planning for the Future Workforce


WHAT WILL THE INFORMATION security workforce of the future look like? Somewhat different than the current workforce, according to Alan Ross, senior principal engineer at Intel. IT security functions will likely change because computing itself is changing so much, and Intel is at work preparing for the new security landscape.

“Our compute models have evolved along with our users’ expectations; we are no longer in the compute paradigms that [built] the environment we have today, or a few years ago," Ross says. “Cloud computing, consumerization, [bring your own device], application development and transparency of information have put us at the point where we need to shift the focus of our IT strategy and architecture.”


Even while shifting their focus to these new areas, organizations must continue to build on key security issues that are important now, including business intelligence, application security, data protection, identity and access management, and infrastructure.

“Based on these key focus areas and the combination of the threat landscape, legal and regulatory environments, and new compute models, we see some new focus areas emerging for the security of the workforce,” Ross says.

These emerging areas and job functions include security data scientists who will work with big data, visualization, correlation and prediction tools; privacy technologists who will focus on using technology to ensure that privacy laws and policies are being met; user experience professionals who will focus on how security affects the way users interact with systems; and application security experts.

Application security “is redundant to the key focus areas, but we see this area changing most rapidly and a skill gap here,” Ross says.

Intel is preparing for these changes in the workforce by developing a security data scientist curriculum, and will begin training interested employees in making the transition. “We are also cross-training technologists on privacy so they can begin to make the change for us toward a privacy-technologist competency,” Ross says.

The company has a formal user-experience team and is using the team’s expertise “to help us understand the best way to design user experience into our new security-related offerings,” Ross says. “On the application security front, we are training our developers on a secure development lifecycle and also working toward the right tools, technologies and behaviors to enable a secure application landscape.”

Companies, including Intel, will surely face challenges in meeting the security expertise demands of the future.

“We will continue to find it difficult to match talent and passion in the security field,” Ross says. “It is a rare combination when you have employees who are both talented and passionate about their work, and we see the need to continue to scale our security workforce over time, specifically in [the emerging] areas.”

As other companies become aware of some of these needs, Ross says, “we also need to keep our employees growing and engaged along with providing the right level of opportunities.”

Another challenge is that technology is moving faster than the traditional IT development lifecycle. “We no longer have the luxury of taking months to years to deliver new capabilities and services to the business,” Ross says. “Security has often been seen as a disabler or [as] hindering development. This means that our business groups will start to look outside of the organization to deliver if we cannot move fast enough and exceed their expectations.”

-Bob Violino




Cover Story

EXECUTIVES SAY SECURITY IS IMPORTANT, BUT THEY WON’T PUT THEIR MONEY WHERE THEIR MOUTH IS. WE DISCUSS THAT AND OTHER FINDINGS FROM THIS YEAR’S GLOBAL INFORMATION SECURITY SURVEY.
BY GEORGE V. HULME


ANYONE YOU CARE TO ASK

will likely, and reasonably, agree that the threats against IT systems and data are serious and organizations need to take appropriate steps to protect their infrastructure and information. But if you look at the practices actually in use at many organizations, it becomes painfully apparent that there’s still a wide gulf between ideals and reality.

That’s no shock to anyone paying attention. But the reasons for the continuing gap between what needs to be done and what’s actually done have remained unchanged for years. Business executives and security managers just can’t get in sync. That is, CEOs and executives talk a good game about the seriousness of protecting their data, but when it comes time to put resources and capital into it, they’re not willing.

That’s just one of the findings of the Tenth Annual Global Information Security Survey conducted by CSO and CIO magazines and PricewaterhouseCoopers.

This year’s survey asked 12,052 business and technology executives about the security efforts at their organizations. Many of them cited lack of security leadership and effective information security strategy as significant roadblocks. Only a third of respondents believe security policies at their




organizations are tightly aligned with business objectives.

“Where this disconnect happens, the security group is often too far removed from the groups that provide revenue,” says Bill Burns, director of IT security and networking at Netflix. “As a result, security isn’t seen as strategic, but only a cost.”

Some security professionals think their own peers are one of the primary problems. Jayson Street, who’s CIO at security services provider Stratagem 1 Solutions and an assistant VP of information security at a national bank, contends that this gap between business and security teams is not primarily the fault of business executives.

“It is IT security that, too often, is failing the business. We don’t communicate risk well enough, and why the risk is worth mitigating in a business perspective,” Street says.

Jay Leek, SVP and CISO at the Blackstone Group, largely agrees. “Security practitioners don’t always invest the time necessary to make the best business cases they can for what they need to accomplish,” Leek says. “Where are you trying to take the organization with your security investment? Why are you trying to achieve it? What risk levels are you trying to set? These and other business factors need to be communicated in terms that business leaders can relate to so they can accept making more proactive investments in security efforts.”

FIGHTING YESTERDAY’S BATTLE

Failure to align security and business objectives and properly fund security efforts has significant consequences, says Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers. “What ends up happening to these organizations is that they fall behind and it becomes next to impossible for them to catch up. They are forced to jump from one problem to the next, from malware infections to breaches to data leaks, from regulatory audit findings to availability issues.”

The results this year show that organizations are indeed fighting from behind. Only about half of all organizations report their security programs are mature enough that they can measure and review the effectiveness of their policies and procedures. And 22 percent are not sure if they have reviewed the effectiveness of those policies.

“Organizations are playing by ear, and they’re still playing the way networks were defended a decade ago. However, attackers seem to be upping their game constantly, which means we have to be constantly looking at the effectiveness of what we’re doing to stop them,” says Lobel.

Many organizations, nearly 43 percent, believe their security programs are effective and say they are proactive with security. However, many industry watchers believe these organizations are overestimating their programs. This was a big theme in our survey last year. (See “Are You an IT Security Leader, Really?” at www.csoonline.com/article/6908S4.) “Organizations typically have an inflated view of how well they are doing things,” says Mike Rothman, an analyst at the security research firm Securosis. “That view is of course shattered when something goes wrong. Then it turns into a game of finger-pointing and blame.”

A  POOR  JUSTIFICATION 

Perhaps  one  big  obstacle  to  implementing  effective  security 
is  the  way  organizations  justify  their  security  spending.  At 
nearly  46  percent  of  enterprises,  changes  in  security  spend¬ 
ing  depend  on  general  economic  conditions.  At  about  a  third 
of  others,  the  need  to  protect  the  company’s  reputation  or 
meet  regulatory  compliance  dictates  the  security  budget. 

“Most of the time I think our investment in security is either driven emotionally or as a way to cut costs,” says the security officer at a U.S. manufacturer. “Our biggest investment last year was putting in place self-service password resets,” he says. “We did very little in the way of hardening our Internet-facing systems or endpoints because the cost was viewed as too high.”

Determining the effectiveness of that security spending, at 35 percent of organizations, is done by subjective professional judgement. Other common effectiveness metrics, some of which are used in combination, are reduced incidents (29 percent), total cost of ownership (24 percent), improvement against security metrics (24 percent), and ROI (23 percent). A surprising one in five respondents do not know how effectiveness is measured in their organization.

“Where this disconnect happens, the security group is often too far removed from the groups that provide revenue.” - Bill Burns, director of IT security and networking at Netflix

One of the more encouraging findings this year is that relatively few security incidents were reported. A full 31 percent of respondents report no security incidents in the past year, while another 32 percent say that they experienced fewer than nine incidents. About 1.6 percent of organizations reported experiencing more than 100,000 incidents.

However, the financial costs for companies that did suffer breaches were high, averaging more than $1.6 million for each breach that companies were required to publicly disclose. At 6 percent of firms, losses totalled more than $10 million. About 45 percent of organizations attributed those losses to a variety of factors, including paying for legal services, investigations, forensics, and auditing and consulting services, and losing customers. Brand and reputation damage was blamed for about 27 percent of security-related losses.

Another reassuring bit of news is that in the year ahead, security investment is expected to rise by about 6 percent. And, despite the fact that nearly 28 percent of companies plan to keep their security spending flat, 7 percent of companies plan to increase their spending by more than 30 percent, and nearly 15 percent of companies plan to increase spending by between 11 percent and 30 percent. Only 9 percent anticipate cutting spending.

Many experts are concerned that the security investments aren’t being applied to the right areas, especially as so many firms aren’t measuring the effectiveness of the steps they’re taking now. “Generally, we’ve seen a decline in investments in technologies such as rogue-device detection, intrusion-detection systems, vulnerability scanning, event correlation and similar technologies,” says Lobel. “It’s tough to succeed at security if you are not investing in technologies to test your infrastructure and monitor what is happening on it,” he says.

WHERE  DO  YOU  GO  FROM  HERE? 

If a lack of security leadership is a serious obstacle to improving security, what are CSOs to do about it?

Leek, the CISO of the Blackstone Group, believes many CISOs and security managers have not set up the proper levels of governance or explained risk management as it relates to the business. That’s a good place to start.

Learning  to  speak  in  plain  language  would  help,  too. 

“Many talk too technical and get too excited over new technologies and attack techniques as opposed to talking about the underlying business problems that the organization faces and minimizing the associated risks,” he says.

“The other piece of this is that, because many don’t get a good grip on their security program, many fall into a reactive firefighting mode and they get stuck,” says Leek.

The best way to get out of that rut, experts argue, is to convince management that IT security is both necessary and strategic. “I strive to find ways to translate the services my team provides into either cost savings or efficiency gains,” says Burns, of Netflix. “The holy grail is to translate what you are into a competitive advantage. And while that’s not always possible, it is often possible to prove that some of the initiatives make a better customer experience, maintain trust over time or...reduce long-term costs. That seems to resonate with executives.”

To succeed, Burns advises making arguments for security from the perspective of the business. “When I’m planning my pitch for something new, I always go through a series of ‘So what?’ rounds of questions with myself, as if asked by the executives. If I’m telling them that I’m worried about this, or we need to invest in that, I need to be able to answer all of those ‘So what?’ questions from their perspective,” he says.

Who Took the Survey?

PwC surveyed 12,052 senior executives in early 2012. Respondents were divided fairly equally between business titles and technology jobs.

■ Top executives (CEO/president/managing director) made up the largest group of respondents at 12.5%

■ CIOs were the next largest group, at 7.6%

■ Project managers accounted for 7.4%

■ Systems analysts accounted for 7.2%

■ Numerous IT-related titles and other functions such as audit, operations and compliance are represented among respondents, with CISOs accounting for 2.6% of respondents

Spending Trends

Security spending over the next 12 months will increase by an average of 6%. Jumps of more than 30% power the overall upward trend, even as 28% of companies plan to hold steady on security spending and 9% plan decreases. 18% don’t know where security spending is headed at their companies.

Spending Drivers

Economic conditions 46%
Business continuity and disaster recovery 31%
Company reputation 30%
Regulatory compliance 29%
Change and business transformation 29%
Internal policy compliance 28%
Outsourcing 23%
Criminal theft of customer or employee information 19%
Digital convergence trends (voice over IP, etc.) 18%
Hacktivism (major leak of confidential information, e.g. WikiLeaks) 17%
Merger and acquisition activity 15%
Intellectual property theft due to nation-state espionage (advanced persistent threat) 13%
Terrorism 10%
Other 4%

People-Based Data-Privacy Procedures

Just over half of respondent companies conduct personnel background checks.

45% have staff to monitor employee use of the Internet and other information assets
41% integrate physical and data security
20% do none of these things

Tech-Based Data-Privacy Procedures

Some basic security tools are in place at less than 60 percent of firms surveyed.

58% are using malware- and virus-protection software
57% have firewalls and OS patch management
53% deploy secure user authentication protocols
51% use access-control measures
48% use identity management
44% secure Web transactions via SSL
42% encrypt full disks on laptops
39% say they have mobile-device security
35% encrypt portable devices
32% control data copying to external devices

A key to being able to answer those questions is measuring the right things. This way, you have the right information to help make better risk-management decisions and successfully argue the value of your security efforts. “The metrics I found more effective are based on efficiency or achievement, as opposed to just measuring activity,” says Burns. “If I show someone that I believe my security program is effective because I’m counting the number of vulnerabilities, or missing patches, that’s interesting, but it’s not really actionable,” he says. “The more successful metrics are when you can report how much time it takes to resolve a vulnerability, for instance. Numbers like that show the efficiency, rather than just the amount of work being done,” he says.
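To make the difference between an activity count and an efficiency metric concrete, here is an added Python example (not code from CSO, PwC, or any of the people quoted) that computes the kind of time-to-resolve numbers Burns describes. The finding records, the identifiers, the dates and the per-severity remediation targets in SLA_DAYS are all constructed placeholders; an organization would substitute its own tracker export and policy targets.

```python
"""Efficiency metrics for vulnerability remediation, computed from
constructed finding records. Added illustration, not code from CSO or PwC."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Hypothetical remediation targets in days per severity. Real targets come
# from an organization's own policy; these are placeholders for the demo.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the report is generated (constructed).
AS_OF = date(2012, 6, 1)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date]  # None while the finding is still open


# Constructed sample findings; identifiers and dates are invented.
SAMPLE: List[Finding] = [
    Finding("V-001", "critical", date(2012, 3, 1), date(2012, 3, 5)),
    Finding("V-002", "critical", date(2012, 3, 10), date(2012, 3, 30)),
    Finding("V-003", "high", date(2012, 2, 1), date(2012, 2, 20)),
    Finding("V-004", "high", date(2012, 4, 1), None),
    Finding("V-005", "medium", date(2012, 1, 15), date(2012, 3, 15)),
    Finding("V-006", "medium", date(2012, 5, 1), date(2012, 5, 10)),
    Finding("V-007", "low", date(2012, 1, 1), None),
]


def activity_count(findings: List[Finding]) -> int:
    """The 'activity' number Burns calls interesting but not actionable:
    how many findings exist, regardless of how quickly they are fixed."""
    return len(findings)


def days_to_resolve(f: Finding) -> int:
    """Calendar days between opening and closing a closed finding."""
    return (f.closed - f.opened).days


def remediation_metrics(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per-severity efficiency metrics: median days to close, share of closed
    findings fixed within target, and open findings already past target."""
    report: Dict[str, dict] = {}
    for sev, target in SLA_DAYS.items():
        group = [f for f in findings if f.severity == sev]
        closed = [f for f in group if f.closed is not None]
        durations = [days_to_resolve(f) for f in closed]
        within_target = sum(1 for d in durations if d <= target)
        overdue_open = [
            f.finding_id for f in group
            if f.closed is None and (as_of - f.opened).days > target
        ]
        report[sev] = {
            "closed": len(closed),
            "median_days": median(durations) if durations else None,
            "within_target_rate": within_target / len(closed) if closed else None,
            "overdue_open": overdue_open,
        }
    return report


def example_report() -> Dict[str, dict]:
    """Run the metrics over the constructed sample as of AS_OF."""
    return remediation_metrics(SAMPLE, AS_OF)


if __name__ == "__main__":
    print("activity count:", activity_count(SAMPLE))
    for sev, row in example_report().items():
        print(sev, row)
```

The activity count says only that seven findings exist; the report shows, for instance, that only half of the closed critical findings met their target and that one high-severity finding is already past its target while still open, which is the kind of number an executive can act on.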

By improving how the security program is measuring and talking about the risks the business faces in clear business terms, it becomes much easier to obtain the needed resources. “It’s not easy to do, and it’s something that doesn’t happen overnight,” says Leek. But making a compelling business case is the only way to obtain what’s needed. And what happens to those organizations where the CSO can’t make their case? “They end up understaffed and without the resources they need. And that makes it tough to succeed at this,” he says.


■ George V. Hulme is a veteran infosec journalist based in Minnesota. You can find him on Twitter as @georgevhulme.


Data-Privacy Strategies and Procedures

73% of companies have an overall information security strategy

54% have an information security strategy that is aligned to business needs

Just under half of companies have security baselines and standards for external partners, customers, suppliers and vendors; centralized security information management processes; identity-management strategies; business continuity and disaster recovery plans; security-awareness training; and security standards for portable devices.

44% have a mobile security strategy

38% have a strategy for social media

30% have a plan for the cloud

More than half have standards for infrastructure deployment and wireless security.

45% have a strategy for personal devices used at work

42% have a written policy concerning the storage, access, and transport of records containing personal data

39% use cross-organizational teams to coordinate and communicate information security issues


Assessment and Compliance

What process information security safeguards does your organization have in place for assessment and compliance?

                                                                  HAVE IN   OUT-     NOT IN
                                                                  PLACE     SOURCE   PLACE
Active monitoring and analysis of information security
intelligence (e.g. vulnerability reports, log files)              56%       19%      15%
Security audits                                                   53%       28%      17%
Risk assessments (internal)                                       50%       25%      18%
Threat and vulnerability assessments                              47%       28%      18%
Compliance testing                                                47%       27%      17%
Auditing and monitoring user compliance with security policy      46%       22%      19%
Integration with privacy and compliance plans                     41%       22%      19%
Penetration tests                                                 40%       32%      22%
Risk assessments (external)                                       37%       23%      25%
Auditing and monitoring employee postings to external
blogs or social networking sites                                  35%       24%      24%

Operations

What process information security safeguards does your organization have in place for operations?

                                                                  HAVE IN   OUT-     NOT IN
                                                                  PLACE     SOURCE   PLACE
Secure disposal of technology hardware                            52%       22%      16%
Delegated administration of password reset                        50%       22%      13%
Place restrictions on physical access to records
containing personal information                                   46%       19%      15%
Outsourced security (some or all)                                 29%       32%      20%

Note: Numbers do not add to 100 because respondents were allowed to choose more than one answer to each question and not all respondents answered all questions.




Hour

The Old Fashioned

2 oz bourbon
1 tsp sugar
Bitters
Splash of water
Orange twist

Serve over ice.

May impair judgment.

The Network Specialist

2 oz Jack Daniels
4 oz Mountain Dew

Serve at room temperature.

Can substitute Red Bull for either ingredient.

The Board Meeting

6 oz grappa

Serve just before announcing any brand-impacting incidents.

The Risk Reducer

16 oz water
One 81 mg tablet St. Joseph’s aspirin

As needed. Increase effectiveness by adding two airplane tickets and reservations at the Blue Waters Resort in Antigua.


LEGAL NOTICE

U.S. POSTAL SERVICE STATEMENT OF OWNERSHIP, MANAGEMENT AND CIRCULATION (Required by 39 U.S.C. 3685)

1. Title of Publication: CSO

2. Publication No.: 021-412

3. Date of filing: September 12, 2012

4. Frequency of Issue: 10 issues yearly with a combo Dec/Jan and Jul/Aug

5. Number of issues published annually: 10

6. Annual subscription price: Free to qualified subscribers/All other in U.S. and Canada $70; Foreign subscriptions $95.00

7. Location of known office of publication: 492 Old Connecticut Path, PO Box 9208, Framingham, MA 01701-9208 (Middlesex-Central County).

8. Location of the headquarters of general business offices of the publishers: CXO Media, 492 Old Connecticut Path, PO Box 9208, Framingham, MA 01701-9208 (Middlesex-Central County).

9. Names and addresses of the publisher, editor and managing editor: Publisher, Bob Bragdon, 492 Old Connecticut Path, Framingham, MA 01701-9208. Editor-in-Chief, Derek Slater, 492 Old Connecticut Path, Framingham, MA 01701-9208. Managing Editors, Bill Brenner and Joan Goodchild, 492 Old Connecticut Path, Framingham, MA 01701-9208.

10. Owner: International Data Group, 1 Exeter Plaza, Boston, MA 02116-2851.

11. Known bondholders, mortgages and other security holders owning or holding 1% or more of total amount of bonds, mortgages or other securities: International Data Group, 1 Exeter Plaza, Boston, MA 02116-2851; None

12. For completion by nonprofit organizations authorized to mail at special rates: Not applicable.

13. Publication Name: CSO

14. Issue date for circulation data below: September 01, 2012.

15. Extent and nature of circulation:

                                                         Average No. Copies    No. Copies of single
                                                         each issue during     issue published
                                                         preceding 12 months   nearest to filing date
A. Total number of copies printed (net press run)        29,465                29,922
B. Legitimate paid and/or requested distribution
   (by mail and outside the mail)
   1. Outside county paid/requested mail
      subscriptions stated on PS Form 3541               28,360                28,363
   2. In-county paid/requested mail subscriptions
      stated on PS 3541                                  52                    53
   3. Sales through dealers and carriers, street
      vendors, counter sales, and other non-USPS
      paid distribution
   4. Requested copies distributed by other mail
      classes through the USPS
C. Total paid and/or requested circulation               28,412                28,416
D. Nonrequested distribution (by mail and outside
   the mail)
   1. Outside county nonrequested copies stated
      on form 3541                                       896                   1501
   2. In-county nonrequested copies stated on
      form PS 3541
   3. Nonrequested copies distributed through the
      USPS by other classes of mail
   4. Nonrequested copies distributed outside
      the mail
E. Total nonrequested distribution (Sum of 15d
   (1), (2), (3) and (4))                                896                   1501
F. Total distribution (Sum of 15c and 15e)               29,308                29,917
G. Copies not distributed                                0                     0
H. Total (Sum of 15f and 15g)                            29,308                29,917
I. Percent paid and/or requested circulation
   (15c/15f x 100)                                       96.9%                 95.0%

I certify that the statements made by me above are correct and complete.

Diana Turco
Circulation Manager


CISCO

FASTER APPLICATIONS. FEWER COMPLICATIONS. SMARTER SERVERS.

Move from the physical to the virtual world with performance that changes the server landscape. Move to the Cisco Unified Computing System.™

With the industry’s fastest and most powerful server for virtualization, Cisco helps you move to a whole new level of performance.*

Powered by the Intel® Xeon® processor, Cisco Unified Computing System™ is the server that moves yesterday’s data center into tomorrow’s productivity center.

Learn more at cisco.com/servers.

*For more information, visit cisco.com/go/ucsbenchmarks.

©2012 Cisco and/or its affiliates. All rights reserved. All third-party products belong to the companies that own them. Cisco, the Cisco logo, and Cisco UCS are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. Intel, the Intel logo, Xeon and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and/or other countries. All other trademarks are the property of their respective owners.


The #1 Security Platform for Virtualization and the Cloud*

Protect your VMware® environment with Trend Micro.

Only Trend Micro delivers end-to-end security from virtual datacenters and private clouds out to public and hybrid clouds. As the best agentless security platform for VMware environments, Trend Micro lets you maximize your virtualization ROI while seamlessly enabling comprehensive compliance. It’s the complete package.

For more information, go to: trendmicro.com/completesecurity

TREND MICRO

Securing Your Journey to the Cloud

*Technavio Insights Report, Global Cloud Security Software Market 2010-2014

© 2012 Trend Micro, Inc. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro, Inc.
© 2012 VMware, Inc. All rights reserved. VMware and VMworld are registered trademarks of VMware, Inc.


